Coverage · Attack paths

17 attack paths, built from your real setup.

Every route here is a break-in that real attackers ran in 2024, mapped onto the weak spots in your own environment — with the one fix that breaks the chain.

Attack paths
17
Microsoft 365
11
Azure
6
Fix breaks the chain
1

The problem

One finding rarely breaks you. The chain does.

Every security tool gives you a list of problems, and most of them, on their own, won't cause a breach. What matters is which ones combine. Tenant Strike says: these four, in this order, are how Storm-0501 ransomed three Azure environments last year — fix any one of them and the chain breaks. Then it tells you which fix is easiest.

The catalog · 17 patterns

Every attack path Tenant Strike models.

Microsoft 365 · 11 patterns

  • highcriticalMicrosoft 365

    Phish an admin → full tenant takeover

    One compromised Global Administrator account is the whole tenant: read every mailbox, take every file, plant backdoors, and push ransomware to your company's computers.

  • highcriticalMicrosoft 365

    Internet-exposed admin surface → credential reuse → tenant takeover

    A login page or management port left open to the internet is the way in; a password reused on Microsoft 365 turns it into a full takeover.

  • highcriticalMicrosoft 365

    Known CVE on public service → web shell → ransomware deployment

    When a flaw is announced in software you run facing the internet, attackers have a working exploit within days. Once one server falls, everything it can reach falls next.

  • highcriticalMicrosoft 365

    Password spray → mailbox takeover → business email compromise

    Without MFA on every account, guessing common passwords eventually works. It's the most common route to email fraud — and a top driver of small-business cyber-insurance claims.

  • highcriticalMicrosoft 365

    Domain spoofing → wire transfer / invoice fraud

    Without one email setting (DMARC) enforced, anyone on the internet can send mail that looks like it came from your domain. Your customers and your own staff are the victims.

  • highcriticalMicrosoft 365

    Endpoint compromise → OneDrive sync fanout → org-wide ransomware

    OneDrive keeps everyone's files in sync — which means ransomware on one laptop can fan out through the cloud to every synced computer in the company.

  • mediumhighMicrosoft 365

    Illicit OAuth consent → silent mailbox exfiltration

    One employee clicks 'Accept' on a malicious app, and it can read their mailbox from then on — no password needed, ever again. This attack rose sharply in 2024.

  • highhighMicrosoft 365

    Teams DM phishing → credential / OAuth-grant compromise

    All your phishing defenses guard email. A Teams direct message from a compromised partner account walks straight past every one of them.

  • mediumhighMicrosoft 365

    Anonymous SharePoint links → public data exposure

    Anonymous 'Anyone' links leak at every company size. Once one is out, you can't revoke it from the recipient — you can only delete the link itself.

  • mediumhighMicrosoft 365

    Edit-default share links → invoice/contract tampering

    When share links default to Edit, a casual click of the Share button hands out editing rights to invoices, contracts, and vendor lists. Anyone who receives one can change the document.

  • mediumhighMicrosoft 365

    Compromised vendor → stale guest account → lateral access

    Guest accounts that haven't signed in for 90+ days are doors nobody is watching. When a partner company is breached, the attacker inherits whatever access their guest account still has.

Azure · 6 patterns

  • highcriticalAzure

    Subscription Owner sprawl → tenant-wide cloud takeover

    'Owner' is the most powerful role in Azure — one account that can touch every server, secret, and log. Every extra Owner is a permanent target on someone's back.

  • highcriticalAzure

    Public Azure storage → silent data exfiltration

    Storage left open to anonymous downloads needs no stolen password at all. Several large 2024 leaks — including 43 TB of Microsoft's own research data — started exactly here.

  • highcriticalAzure

    Internet-exposed Azure VM → lateral movement → ransomware

    A server with remote access left open to the entire internet is an open door — and it's the exact way the Storm-0501 ransomware crew broke into Azure environments in 2024.

  • highcriticalAzure

    Public Azure SQL endpoint → data exfiltration

    A database firewall left wide open makes your data reachable from the internet. One common 'allow all' setting lets any Azure customer, anywhere in the world, knock on its door.

  • highcriticalAzure

    Leaked service-principal secret → subscription-scope cloud takeover

    App credentials are long-lived keys to your cloud. When one leaks — and they leak constantly, often in public code — whoever finds it inherits everything the app could touch.

  • mediumhighAzure

    No Defender + no log forwarding → silent multi-month dwell

    This one is a blind spot, not a single step. In 2024, attackers sat inside cloud environments for 200+ days on average before being found — only possible when logging and alerting have gaps.

How it works

From your scan results to a clear break-in route.

  1. 01

    Run a scan

    A standard Tenant Strike scan checks your Microsoft 365 and Azure setup. Attack paths need no extra setup — they're built from the same results.

  2. 02

    We connect them

    Tenant Strike looks for known attack patterns among your findings. When the pieces line up, it lays out the full route step by step, with the security gap behind each one.

  3. 03

    You fix one step to break the chain

    Each step shows the fix that closes it. Handle the easiest one and the whole route is broken on your next scan.

Sample attack path

One break-in route, start to finish.

HIGH likelihoodCRITICAL impact5 steps

Password spray → mailbox takeover → business email compromise

Without MFA enforced everywhere, guessing one weak password is enough to take over the first account. From inside that mailbox, the attacker reads invoice and payment conversations for weeks, then sends a forged invoice — and reroutes a real payment before anyone notices.

  1. 01

    They collect your staff's email addresses from LinkedIn and past data breaches.

  2. 02

    Password guessing

    T1110.003

    They try a few common passwords against every account, through an older sign-in method that skips MFA.

  3. 03

    One password works. No MFA challenge — they're in.

  4. 04

    Surveillance

    T1114.003

    A hidden forwarding rule quietly sends every incoming email to the attacker.

  5. 05

    The payoff

    T1657

    They send a forged payment request from the real mailbox, and a real payment lands in the attacker's account.

On the dashboard, each step lists the specific findings in your tenant that enabled it. Click any finding to jump straight to its fix.

Every path cites its sources

Every attack path is based on a documented, published breach — not our imagination. Each one links to its primary sources: CISA advisories, Microsoft incident reports, FBI fraud data, and Mandiant’s annual breach report.

See which routes are open in your tenant.

Pro includes all 17 attack paths, every Microsoft 365 and Azure check, and Vulnerability Watch.